Re: [TLS] Unifying tickets and sessions
Richard Fussenegger <richard@fussenegger.info> Wed, 22 October 2014 20:28 UTC
Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECEA1A1A04 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0BkZcuOb4Rok for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:28:21 -0700 (PDT)
Received: from mx204.easyname.com (mx204.easyname.com [212.232.28.125]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DCB71A0264 for <tls@ietf.org>; Wed, 22 Oct 2014 13:28:21 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1Xh2W1-0000b4-F2; Wed, 22 Oct 2014 22:28:19 +0200
Message-ID: <5448134B.8090700@fussenegger.info>
Date: Wed, 22 Oct 2014 22:27:55 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <5445775E.3050108@fussenegger.info> <54458113.1050304@polarssl.org> <20141020235832.GK19158@mournblade.imrryr.org> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <5447FE79.1050008@fussenegger.info> <20141022194302.GA6170@localhost>
In-Reply-To: <20141022194302.GA6170@localhost>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070906090104030803020301"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_IAZNFUS9blOA-Yk_lelrJDEMoU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 20:28:24 -0000
This isn't getting anywhere here, I'll try again but only once. On 10/22/2014 9:43 PM, Nico Williams wrote: > On Wed, Oct 22, 2014 at 08:59:05PM +0200, Richard Fussenegger wrote: >> [erm] That was not the original suggestion and 'negotiated cipher' >> doesn't imply that the cipher was chosen by the client. It's merely >> [...] > It does imply that the client at least constrained the choice of cipher. > > This is unnecessary complexity. I thought we were all for simplifying. Negotiation -> TLS Handshake [1] -> ssl_prefer_server_ciphers=on [2] The client will always create constraints because clients aren't supporting only the strongest ciphers and protocols. That's the reason why people configure more than one cipher and try to rescue SSL 3.0 from the POODLE. > No: because I couldn't prove that it isn't AES-256, because the server > couldn't prove that it is, because the only way to do so would be for > the server to give me its ticket encryption key, which would defeat the > purpose. > > Well, I tell a lie: the server could give the client the ticket > encryption key for expired tickets issued to the same client. But this > means having a per-client set of keys, which means having some client ID > to derive keys from, probably a public key that the client can > demonstrate it has possession of the corresponding private key, and so > on and so forth -- all much, much too complex. > > The client already has to trust the server for all sorts of things. > Having to trust it to handle ticket encryption appropriately is not much > more to ask, especially since any reasonable choice on the server's part > is such a large optimization/win over not having session resumption that > it's worth the risks of the complexity of session resumption (because > the alternative is risking less deployment). Uh … nope … > So you want the server to say "fine, I'm using the XYZ cipher that you > wanted", and now what changes? The server can't prove that it did / the > client can't prove that the server didn't. What did we gain, besides > more [in this case worth-less] complexity? Uh … nope … > One answer: someone could audit the server's compliance with this. But > who?! Not the client. Some authority perhaps, which then opens a can > of worms. And then what do we gain? What about clients who end up > getting weaker ticket encryption ciphers than the server's preference? > > Nico Telling people to use appropriate keys during all involved steps is exactly what I propose and absolutely nothing of what you are alleging me of. > Key strength **MUST** be at least of equal strength for ticket/token encryption of the strongest supported cipher. Thus not downgrading any of the available ciphers that can be used for communication. [3] I'm getting the uncomfortable feeling that all I've written so far was in Klingon … Regards Richard [1] http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_HANDSHAKE "Negotiating a secure TLS tunnel is a complicated process, […]" [2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers [3] The RFC shouldn't use the word 'negotiated' because it apparently isn't understood correctly.
- [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Douglas Stebila
- Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Stephen Checkoway
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Joseph Salowey
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions David Leon Gil